Overview
Respond to an incident based on its confidence and risk levels:
- High risk and high confidence. The endpoint is likely compromised by an advanced threat that has already circumvented signature- or rule-based endpoint security, and endpoint cleaning tools are unlikely to remove it. Reimage or rebuild the endpoint. Do not back up the full user profile; back up documents only. When Cognitive Intelligence detects an active malware infection, this usually requires manual action from your SOC and Desktop teams.
- Medium confidence or medium risk. The endpoint likely contains malware that endpoint cleaning tools can remove. Run the endpoint scanning and antivirus cleaning tools of your choice, clean any infections found, and monitor the endpoint. If the problem persists, reimage or rebuild the endpoint; again, do not back up the full user profile, only documents.
- Everything else (for example, low confidence and low risk). The endpoint may or may not be infected; the alert might be linked to the user following spam or phishing URLs. Perform a normal scan and remove any infections found. If nothing is found, keep monitoring the endpoint for escalations so that any malware present cannot progress unnoticed.
Confidence levels:
- High (95% to 100%)
- Medium (85% to 94%)
- Low (0% to 84%)
Risk levels:
- Critical (10)
- High (9, 8)
- Medium (7, 6)
- Low (5, 4, 3, 2, 1)
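The three response tiers above are a decision table over two inputs, and the order of the rules matters: the reimage rule needs both high confidence and high risk, the clean-and-monitor rule fires on either a medium confidence or a medium risk, and everything that is left falls into the scan-and-monitor tier, including combinations such as high confidence with low risk. The following Python is an added example, not code from Cognitive Intelligence or from this guide, that encodes the bands and the rule precedence exactly as stated above so that a SOAR playbook or ticket-routing script can apply them consistently. The alert records, field names (`confidence_percent`, `risk_score`) and the `triage` function are constructed for illustration. One assumption is labelled in the code: the response guidance names only "high risk", so a Critical risk score of 10 is treated as at least High for the reimage rule.

```python
from dataclasses import dataclass
from enum import Enum


class Confidence(Enum):
    HIGH = "high"      # 95% to 100%
    MEDIUM = "medium"  # 85% to 94%
    LOW = "low"        # 0% to 84%


class Risk(Enum):
    CRITICAL = "critical"  # 10
    HIGH = "high"          # 9, 8
    MEDIUM = "medium"      # 7, 6
    LOW = "low"            # 5, 4, 3, 2, 1


class Response(Enum):
    REIMAGE = "reimage or rebuild; back up documents only; SOC and Desktop teams act manually"
    CLEAN_AND_MONITOR = "run endpoint scanning/AV cleaning tools; clean; monitor; reimage if it persists"
    SCAN_AND_MONITOR = "normal scan; remove anything found; monitor for escalations"


def confidence_band(percent: float) -> Confidence:
    """Map a confidence percentage to its band using the thresholds in the guide."""
    if not 0 <= percent <= 100:
        raise ValueError(f"confidence out of range: {percent}")
    if percent >= 95:
        return Confidence.HIGH
    if percent >= 85:
        return Confidence.MEDIUM
    return Confidence.LOW


def risk_band(score: int) -> Risk:
    """Map a 1-10 risk score to its band."""
    if score not in range(1, 11):
        raise ValueError(f"risk score out of range: {score}")
    if score == 10:
        return Risk.CRITICAL
    if score >= 8:
        return Risk.HIGH
    if score >= 6:
        return Risk.MEDIUM
    return Risk.LOW


def triage(confidence_percent: float, risk_score: int) -> Response:
    """Apply the three response rules in the order the guide states them."""
    conf = confidence_band(confidence_percent)
    risk = risk_band(risk_score)
    # Rule 1: high confidence AND high risk. Assumption (not stated in the guide):
    # a Critical score is treated as at least High risk here.
    if conf is Confidence.HIGH and risk in (Risk.HIGH, Risk.CRITICAL):
        return Response.REIMAGE
    # Rule 2: medium confidence OR medium risk.
    if conf is Confidence.MEDIUM or risk is Risk.MEDIUM:
        return Response.CLEAN_AND_MONITOR
    # Rule 3: everything else, e.g. low/low but also high confidence with low risk.
    return Response.SCAN_AND_MONITOR


@dataclass
class Alert:
    endpoint: str
    confidence_percent: float
    risk_score: int


def triage_alerts(alerts: list[Alert]) -> list[tuple[str, Response]]:
    """Return (endpoint, response) pairs for a batch of alerts."""
    return [(a.endpoint, triage(a.confidence_percent, a.risk_score)) for a in alerts]


# Constructed sample alerts; endpoint names and values are illustrative only.
SAMPLE_ALERTS = [
    Alert("ws-finance-07", 98, 9),   # high/high -> reimage
    Alert("ws-hr-12", 100, 10),      # high confidence, critical risk -> reimage (assumption above)
    Alert("ws-eng-31", 90, 9),       # medium confidence, high risk -> clean and monitor
    Alert("ws-sales-02", 99, 6),     # high confidence, medium risk -> clean and monitor
    Alert("ws-legal-04", 99, 3),     # high confidence, low risk -> everything else
    Alert("ws-ops-19", 40, 2),       # low/low -> everything else
]

if __name__ == "__main__":
    for endpoint, response in triage_alerts(SAMPLE_ALERTS):
        print(f"{endpoint}: {response.name} ({response.value})")
```

Note one consequence of reading the rules literally: an alert with low confidence but a Critical risk score has neither high confidence nor a medium band, so it lands in the scan-and-monitor tier. If your SOC wants Critical risk to escalate regardless of confidence, that is a deliberate departure from the table above and should be written as an explicit extra rule rather than hidden in the band thresholds.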